Covert Copy: The Last Line of Defense Against Cyber Threats

Ransomware isn’t just about taking systems down anymore; it’s about disrupting recovery from potential disaster. Sophos’ State of Ransomware 2025 found that only 44% of organizations hit by ransomware were able to stop an attack before data was encrypted, meaning in most incidents, teams still end up fighting for recovery when it counts. Attackers know exactly where to apply pressure: backups.

We’re taking this topic live in an upcoming webinar because once attackers realize they can’t delete or encrypt your backup data, they pivot to the recovery path: mapping where backups live, targeting credentials and tooling, and preventing restores when it matters most. Keep reading for why immutability isn’t the finish line and how logically air-gapped design keeps a last clean copy out of the blast radius. Then join the webinar to see how Wasabi Covert Copy delivers “invisible by design” in practice.

Ransomware tactics have changed, and your recovery plan has to keep up

A ransomware event rarely stops at encrypting the production environment and demanding payment. Attackers often try to steal sensitive data first and then encrypt, disable, or destroy the very systems you need to operate.

That’s why backups and recovery copies are now a common part of the attack path. If an attacker can interfere with recovery, even without deleting your data outright, they can block access to restore points, sabotage backup consoles, and slow or derail restores at the exact moment you’re trying to bring critical systems back online. For smaller and mid-sized organizations, that risk compounds fast: lean teams still have to meet compliance expectations and restore quickly, often while credentials, admin tools, and recovery workflows are under critical pressure.

Immutability belongs in a ransomware strategy, but on its own doesn’t solve a basic issue: visibility. If an attacker can find your backup data, they can plan around it. They may not be able to delete it, but they can still work to block or slow recovery by targeting admin credentials, compromising backup tools, and creating chaos in the environment.

If your recovery copy is visible to the same identities, systems, or processes that are exposed during an attack, you are still taking on risk. Many teams don’t realize how much of their backup posture depends on access controls that can fail at the worst possible time.

What logically air-gapped storage means in practice

Air-gapping used to be limited to physical separation. Tape. Offline media. Disconnected vaults. That approach is still effective, but it often comes with tradeoffs: extra steps, slower restores, and more operational overhead.

A logical air gap aims for the same end state through software controls: keeping a clean recovery copy isolated from standard access and admin paths so it’s harder to discover, target, and interfere with during an incident. Teams typically add this layer once immutability is in place because while immutability prevents deletion, it doesn’t prevent attackers from mapping the recovery environment, compromising credentials, and disrupting the tooling and control planes needed to restore.

The practical goal is simple: make sure a clean copy stays out of reach until you intentionally need it so recovery remains possible even when the rest of the environment is under pressure.

Covert Copy: A cloaking device for your data

That’s where Wasabi Covert Copy comes in. It’s designed for the scenario most backup strategies struggle with: compromised credentials, compromised tooling, and an attacker actively trying to interfere with your restore.

Covert Copy keeps a last clean copy locked and invisible, so it’s harder to discover and harder to disrupt while you stabilize the environment. The value isn’t “one more copy.” It’s that the copy you need most is not governed by the same visibility and access that attackers typically go after. Access is gated by design, so recovery is intentional and controlled, not dependent on whatever permissions and tooling happen to be working mid-incident.

If you’re reading this and asking, how does that play out in an actual incident? Our upcoming webinar is for you. This is your chance to pressure-test the assumptions your recovery plan is built on, especially the ones that only get tested when everything is already going wrong. Here’s what we’ll cover:

• The uncomfortable truth about immutable backups: why attackers may not be able to delete your data, but can still disrupt the recovery path when time matters

• What “covert” actually changes: how a locked, invisible recovery copy stays out of usual admin paths when credentials and tooling are under pressure

• Two recovery scenarios you’ll recognize: selective restores with time-limited access vs full restore workflows using Restore Mode, and what changes operationally between them

• The guardrails that keep recovery controlled: gated access, multi-user authorization, and time-boxed access windows

• Where it fits (and what it costs): the core use cases (backup, DR, compliance, MSP delivery) plus the cost considerations teams should understand before an incident

This webinar is a good fit if you’re responsible for keeping data recoverable during a security incident, including:

• IT leaders who own backup and recovery outcomes.

• Storage admins who manage S3 buckets and access controls.

• Security and compliance teams that need stronger guardrails for sensitive data.

• MSPs and cloud service providers building ransomware resilience into managed offerings.